chore(deps)(deps): bump the production-dependencies group across 1 directory with 46 updates

[dependabot]

Bumps the production-dependencies group with 38 updates in the / directory:

Package	From	To
cosmiconfig	9.0.0	9.0.1
handlebars	4.7.8	4.7.9
@anthropic-ai/claude-code	2.1.50	2.1.104
@babel/runtime	7.28.6	7.29.2
@borewit/text-codec	0.2.1	0.2.2
@google/genai	1.42.0	1.49.0
@hono/node-server	1.19.9	1.19.14
@modelcontextprotocol/sdk	1.26.0	1.29.0
@supabase/supabase-js	2.97.0	2.103.0
fastmcp	3.33.0	3.35.0
axios	1.13.5	1.15.0
bare-fs	4.5.4	4.7.0
bare-os	3.6.2	3.8.7
bare-stream	2.8.0	2.13.0
bare-url	2.3.2	2.4.0
express-rate-limit	8.2.1	8.3.2
figlet	1.10.0	1.11.0
file-type	21.3.0	21.3.4
fs-extra	11.3.3	11.3.4
fuse.js	7.1.0	7.3.0
gaxios	7.1.3	7.1.4
google-auth-library	10.5.0	10.6.2
hono	4.12.1	4.12.12
koa	3.1.1	3.2.0
mcp-proxy	6.4.0	6.4.6
nan	2.25.0	2.26.2
node-abi	3.87.0	3.89.0
path-to-regexp	8.3.0	8.4.2
pump	3.0.3	3.0.4
qs	6.15.0	6.15.1
side-channel-list	1.0.0	1.0.1
sql.js	1.14.0	1.14.1
strtok3	10.3.4	10.3.5
undici	7.22.0	7.24.8
validator	13.15.26	13.15.35
ws	8.19.0	8.20.0
yaml	2.8.2	2.8.3
zod-to-json-schema	3.25.1	3.25.2

Updates cosmiconfig from 9.0.0 to 9.0.1

Changelog

Sourced from cosmiconfig's changelog.

9.0.1

• Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
• Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.

Commits

• 9a5cda3 9.0.1
• 2174017 update changelog
• 536d4a0 Prevent race conditions when running multiple instances of cosmiconfig and ...
• 4b48611 remove debug log
• 53d1745 remove more EOL node versions
• 7c1a1e3 replace resolve with realpath
• fcc9084 add additional path.resolve for windows short paths
• 7e995c8 debug
• 52b6b1c drop node 14 build as it seems to fail for unreachable reasons
• db45e38 fix tests on windows (3)
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates @anthropic-ai/claude-code from 2.1.50 to 2.1.104

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.104

No release notes provided.

v2.1.101

What's changed

• Added /team-onboarding command to generate a teammate ramp-up guide from your local Claude Code usage
• Added OS CA certificate store trust by default, so enterprise TLS proxies work without extra setup (set CLAUDE_CODE_CERT_STORE=bundled to use only bundled CAs)
• /ultraplan and other remote-session features now auto-create a default cloud environment instead of requiring web setup first
• Improved brief mode to retry once when Claude responds with plain text instead of a structured message
• Improved focus mode: Claude now writes more self-contained summaries since it knows you only see its final message
• Improved tool-not-available errors to explain why and how to proceed when the model calls a tool that exists but isn't available in the current context
• Improved rate-limit retry messages to show which limit was hit and when it resets instead of an opaque seconds countdown
• Improved refusal error messages to include the API-provided explanation when available
• Improved claude -p --resume <name> to accept session titles set via /rename or --name
• Improved settings resilience: an unrecognized hook event name in settings.json no longer causes the entire file to be ignored
• Improved plugin hooks from plugins force-enabled by managed settings to run when allowManagedHooksOnly is set
• Improved /plugin and claude plugin update to show a warning when the marketplace could not be refreshed, instead of silently reporting a stale version
• Improved plan mode to hide the "Refine with Ultraplan" option when the user's org or auth setup can't reach Claude Code on the web
• Improved beta tracing to honor OTEL_LOG_USER_PROMPTS, OTEL_LOG_TOOL_DETAILS, and OTEL_LOG_TOOL_CONTENT; sensitive span attributes are no longer emitted unless opted in
• Improved SDK query() to clean up subprocess and temp files when consumers break from for await or use await using
• Fixed a command injection vulnerability in the POSIX which fallback used by LSP binary detection
• Fixed a memory leak where long sessions retained dozens of historical copies of the message list in the virtual scroller
• Fixed --resume/--continue losing conversation context on large sessions when the loader anchored on a dead-end branch instead of the live conversation
• Fixed --resume chain recovery bridging into an unrelated subagent conversation when a subagent message landed near a main-chain write gap
• Fixed a crash on --resume when a persisted Edit/Write tool result was missing its file_path
• Fixed a hardcoded 5-minute request timeout that aborted slow backends (local LLMs, extended thinking, slow gateways) regardless of API_TIMEOUT_MS
• Fixed permissions.deny rules not overriding a PreToolUse hook's permissionDecision: "ask" — previously the hook could downgrade a deny into a prompt
• Fixed --setting-sources without user causing background cleanup to ignore cleanupPeriodDays and delete conversation history older than 30 days
• Fixed Bedrock SigV4 authentication failing with 403 when ANTHROPIC_AUTH_TOKEN, apiKeyHelper, or ANTHROPIC_CUSTOM_HEADERS set an Authorization header
• Fixed claude -w <name> failing with "already exists" after a previous session's worktree cleanup left a stale directory
• Fixed subagents not inheriting MCP tools from dynamically-injected servers
• Fixed sub-agents running in isolated worktrees being denied Read/Edit access to files inside their own worktree
• Fixed sandboxed Bash commands failing with mktemp: No such file or directory after a fresh boot
• Fixed claude mcp serve tool calls failing with "Tool execution failed" in MCP clients that validate outputSchema
• Fixed RemoteTrigger tool's run action sending an empty body and being rejected by the server
• Fixed several /resume picker issues: narrow default view hiding sessions from other projects, unreachable preview on Windows Terminal, incorrect cwd in worktrees, session-not-found errors not surfacing in stderr, terminal title not being set, and resume hint overlapping the prompt input
• Fixed Grep tool ENOENT when the embedded ripgrep binary path becomes stale (VS Code extension auto-update, macOS App Translocation); now falls back to system rg and self-heals mid-session
• Fixed /btw writing a copy of the entire conversation to disk on every use
• Fixed /context Free space and Messages breakdown disagreeing with the header percentage
• Fixed several plugin issues: slash commands resolving to the wrong plugin with duplicate name: frontmatter, /plugin update failing with ENAMETOOLONG, Discover showing already-installed plugins, directory-source plugins loading from a stale version cache, and skills not honoring context: fork and agent frontmatter fields
• Fixed the /mcp menu offering OAuth-specific actions for MCP servers configured with headersHelper; Reconnect is now offered instead to re-invoke the helper script
• Fixed ctrl+], ctrl+\, and ctrl+^ keybindings not firing in terminals that send raw C0 control bytes (Terminal.app, default iTerm2, xterm)
• Fixed /login OAuth URL rendering with padding that prevented clean mouse selection
• Fixed rendering issues: flicker in non-fullscreen mode when content above the visible area changed, terminal scrollback being wiped during long sessions in non-fullscreen mode, and mouse-scroll escape sequences occasionally leaking into the prompt as text
• Fixed crash when settings.json env values are numbers instead of strings
• Fixed in-app settings writes (e.g. /add-dir --remember, /config) not refreshing the in-memory snapshot, preventing removed directories from being revoked mid-session
• Fixed custom keybindings (~/.claude/keybindings.json) not loading on Bedrock, Vertex, and other third-party providers
• Fixed claude --continue -p not correctly continuing sessions created by -p or the SDK
• Fixed several Remote Control issues: worktrees removed on session crash, connection failures not persisting in the transcript, spurious "Disconnected" indicator in brief mode for local sessions, and /remote-control failing over SSH when only CLAUDE_CODE_ORGANIZATION_UUID is set

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

Changelog

2.1.101

• Added /team-onboarding command to generate a teammate ramp-up guide from your local Claude Code usage
• Added OS CA certificate store trust by default, so enterprise TLS proxies work without extra setup (set CLAUDE_CODE_CERT_STORE=bundled to use only bundled CAs)
• /ultraplan and other remote-session features now auto-create a default cloud environment instead of requiring web setup first
• Improved brief mode to retry once when Claude responds with plain text instead of a structured message
• Improved focus mode: Claude now writes more self-contained summaries since it knows you only see its final message
• Improved tool-not-available errors to explain why and how to proceed when the model calls a tool that exists but isn't available in the current context
• Improved rate-limit retry messages to show which limit was hit and when it resets instead of an opaque seconds countdown
• Improved refusal error messages to include the API-provided explanation when available
• Improved claude -p --resume <name> to accept session titles set via /rename or --name
• Improved settings resilience: an unrecognized hook event name in settings.json no longer causes the entire file to be ignored
• Improved plugin hooks from plugins force-enabled by managed settings to run when allowManagedHooksOnly is set
• Improved /plugin and claude plugin update to show a warning when the marketplace could not be refreshed, instead of silently reporting a stale version
• Improved plan mode to hide the "Refine with Ultraplan" option when the user's org or auth setup can't reach Claude Code on the web
• Improved beta tracing to honor OTEL_LOG_USER_PROMPTS, OTEL_LOG_TOOL_DETAILS, and OTEL_LOG_TOOL_CONTENT; sensitive span attributes are no longer emitted unless opted in
• Improved SDK query() to clean up subprocess and temp files when consumers break from for await or use await using
• Fixed a command injection vulnerability in the POSIX which fallback used by LSP binary detection
• Fixed a memory leak where long sessions retained dozens of historical copies of the message list in the virtual scroller
• Fixed --resume/--continue losing conversation context on large sessions when the loader anchored on a dead-end branch instead of the live conversation
• Fixed --resume chain recovery bridging into an unrelated subagent conversation when a subagent message landed near a main-chain write gap
• Fixed a crash on --resume when a persisted Edit/Write tool result was missing its file_path
• Fixed a hardcoded 5-minute request timeout that aborted slow backends (local LLMs, extended thinking, slow gateways) regardless of API_TIMEOUT_MS
• Fixed permissions.deny rules not overriding a PreToolUse hook's permissionDecision: "ask" — previously the hook could downgrade a deny into a prompt
• Fixed --setting-sources without user causing background cleanup to ignore cleanupPeriodDays and delete conversation history older than 30 days
• Fixed Bedrock SigV4 authentication failing with 403 when ANTHROPIC_AUTH_TOKEN, apiKeyHelper, or ANTHROPIC_CUSTOM_HEADERS set an Authorization header
• Fixed claude -w <name> failing with "already exists" after a previous session's worktree cleanup left a stale directory
• Fixed subagents not inheriting MCP tools from dynamically-injected servers
• Fixed sub-agents running in isolated worktrees being denied Read/Edit access to files inside their own worktree
• Fixed sandboxed Bash commands failing with mktemp: No such file or directory after a fresh boot
• Fixed claude mcp serve tool calls failing with "Tool execution failed" in MCP clients that validate outputSchema
• Fixed RemoteTrigger tool's run action sending an empty body and being rejected by the server
• Fixed several /resume picker issues: narrow default view hiding sessions from other projects, unreachable preview on Windows Terminal, incorrect cwd in worktrees, session-not-found errors not surfacing in stderr, terminal title not being set, and resume hint overlapping the prompt input
• Fixed Grep tool ENOENT when the embedded ripgrep binary path becomes stale (VS Code extension auto-update, macOS App Translocation); now falls back to system rg and self-heals mid-session
• Fixed /btw writing a copy of the entire conversation to disk on every use
• Fixed /context Free space and Messages breakdown disagreeing with the header percentage
• Fixed several plugin issues: slash commands resolving to the wrong plugin with duplicate name: frontmatter, /plugin update failing with ENAMETOOLONG, Discover showing already-installed plugins, directory-source plugins loading from a stale version cache, and skills not honoring context: fork and agent frontmatter fields
• Fixed the /mcp menu offering OAuth-specific actions for MCP servers configured with headersHelper; Reconnect is now offered instead to re-invoke the helper script
• Fixed ctrl+], ctrl+\, and ctrl+^ keybindings not firing in terminals that send raw C0 control bytes (Terminal.app, default iTerm2, xterm)
• Fixed /login OAuth URL rendering with padding that prevented clean mouse selection
• Fixed rendering issues: flicker in non-fullscreen mode when content above the visible area changed, terminal scrollback being wiped during long sessions in non-fullscreen mode, and mouse-scroll escape sequences occasionally leaking into the prompt as text
• Fixed crash when settings.json env values are numbers instead of strings
• Fixed in-app settings writes (e.g. /add-dir --remember, /config) not refreshing the in-memory snapshot, preventing removed directories from being revoked mid-session
• Fixed custom keybindings (~/.claude/keybindings.json) not loading on Bedrock, Vertex, and other third-party providers
• Fixed claude --continue -p not correctly continuing sessions created by -p or the SDK
• Fixed several Remote Control issues: worktrees removed on session crash, connection failures not persisting in the transcript, spurious "Disconnected" indicator in brief mode for local sessions, and /remote-control failing over SSH when only CLAUDE_CODE_ORGANIZATION_UUID is set
• Fixed /insights sometimes omitting the report file link from its response
• [VSCode] Fixed the file attachment below the chat input not clearing when the last editor tab is closed

... (truncated)

Commits

• 9772e13 chore: Update CHANGELOG.md
• c5600e0 chore: Update CHANGELOG.md
• d2b2252 Add MDM deployment example templates (#45866)
• 3c72545 Merge pull request #45798 from anthropics/inigo/triage-prompt-accuracy
• 54c7be5 Tighten invalid-label rule and require a category label on new issues
• 22fdf68 chore: Update CHANGELOG.md
• 227817d chore: Update CHANGELOG.md
• b9fbc77 chore: Update CHANGELOG.md
• b543a25 chore: Update CHANGELOG.md
• 1e03cc7 chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Updates @babel/runtime from 7.28.6 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• See full diff in compare view

Updates @borewit/text-codec from 0.2.1 to 0.2.2

Release notes

Sourced from @​borewit/text-codec's releases.

v0.2.2

Changes

🐛 Bug Fixes

• fix: improve encoding correctness and update README @​Borewit (#36)

NPM release

NPM release: @​borewit/text-codec@​0.2.2

Commits

• c2ce9c5 0.2.2
• e2f0705 Merge pull request #23 from Borewit/dependabot/npm_and_yarn/master/chai-6.2.2
• 5e58cb8 Bump chai from 5.2.1 to 6.2.2
• bc315b8 Merge pull request #37 from Borewit/update-biome
• f32adfc Update biome to 2.4.6
• 7776373 Merge pull request #36 from Borewit/fix-most-issue-exodus
• 068d7d4 fix: improve encoding correctness and update README
• See full diff in compare view

Updates @google/genai from 1.42.0 to 1.49.0

Release notes

Sourced from @​google/genai's releases.

v1.49.0

1.49.0 (2026-04-08)

Features

• Introduce TYPE_L16 audio content and optional fields. (c62cb9a)

v1.48.0

1.48.0 (2026-03-31)

Features

• Support dedicated TextAnnotationDelta for streaming tool responses (89552ba)

Bug Fixes

• Fix service_tier enums. (9bdc2ae)

v1.47.0

1.47.0 (2026-03-27)

Features

• Add custom_metadata to FileSearchResult. (083a1e3)
• Add labels field to Veo configs (930c9c3)
• Add mime type for Audio content (1ad80c6)
• Add model_status to GenerateContentResponse (Gemini API only) (5e1110d)
• Add part_metadata in Part (Gemini API only) (5e1110d)
• Add service tier for interactions. (406de38)
• Add service tier to GenerateContent. (0bfe800)
• Add support for more image and audio MIME types in Interactions content (baadbfd)
• Add supported models to the ModelOptions (94642b6)
• genai: add TURN_INCLUDES_AUDIO_ACTIVITY_AND_ALL_VIDEO to TurnCoverage (fdacac2)
• support hyperparameters in distillation tuning (716e021)
• Support rendered_parts in GroundingSupport (5e1110d)

Bug Fixes

• support us region routing (d391cff)

v1.46.0

1.46.0 (2026-03-17)

Breaking changes

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

1.49.0 (2026-04-08)

Features

• Introduce TYPE_L16 audio content and optional fields. (c62cb9a)

1.48.0 (2026-03-31)

Features

• Support dedicated TextAnnotationDelta for streaming tool responses (89552ba)

Bug Fixes

• Fix service_tier enums. (9bdc2ae)

1.47.0 (2026-03-27)

Features

• Add custom_metadata to FileSearchResult. (083a1e3)
• Add labels field to Veo configs (930c9c3)
• Add mime type for Audio content (1ad80c6)
• Add model_status to GenerateContentResponse (Gemini API only) (5e1110d)
• Add part_metadata in Part (Gemini API only) (5e1110d)
• Add service tier for interactions. (406de38)
• Add service tier to GenerateContent. (0bfe800)
• Add support for more image and audio MIME types in Interactions content (baadbfd)
• Add supported models to the ModelOptions (94642b6)
• genai: add TURN_INCLUDES_AUDIO_ACTIVITY_AND_ALL_VIDEO to TurnCoverage (fdacac2)
• support hyperparameters in distillation tuning (716e021)
• Support rendered_parts in GroundingSupport (5e1110d)

Bug Fixes

• support us region routing (d391cff)

1.46.0 (2026-03-17)

Breaking changes

• [Interactions] Breaking change to Interactions API to refactor TextContent annotations to use specific citation types (9fa8b1d)
• [Interactions] Breaking change for Interactions, rename ContentDelta unions. (917f24f)
• [Interactions] Breaking change to Interactions API to rename rendered_content to search_suggestions (cc6bd38)

... (truncated)

Commits

• 9deedb7 chore(main): release 1.49.0 (#1457)
• c386d0c docs: Remove deprecated product recontext model samples from docstrings
• 5ab2463 chore(interaction-api): Add Vertex AI Search and Enterprise Web Search to Int...
• 227e509 chore: Remove/update tests for the deprecated product recontext model.
• 850fbec chore: Remove constrain for Vertex AI in interactions.
• c62cb9a feat: Introduce TYPE_L16 audio content and optional fields.
• a5b2018 chore: Add missing modality types
• 4b59428 chore: pull in change from custom code
• 2b064e0 Copybara import of the project:
• 14b6203 chore: internal change
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @​felixweinberger in modelcontextprotocol/typescript-sdk#1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in modelcontextprotocol/typescript-sdk#1575
• Add typings exports by @​tdraier in modelcontextprotocol/typescript-sdk#1623
• v1.x npm audit fix by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1780
• v1.x #1623 follow up -add missing types to package.json by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in modelcontextprotocol/typescript-sdk#1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in modelcontextprotocol/typescript-sdk#1640
• chore: bump version to 1.29.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

• @​tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623
• @​jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @​antogyn in modelcontextprotocol/typescript-sdk#757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in modelcontextprotocol/typescript-sdk#1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in modelcontextprotocol/typescript-sdk#1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in modelcontextprotocol/typescript-sdk#1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in modelcontextprotocol/typescript-sdk#1738
• chore: bump version to 1.28.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

• @​antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757
• @​tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596
• @​poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

• feat: implement auth/pre-registration conformance scenario by @​felixweinberger in modelcontextprotocol/typescript-sdk#1545
• docs: add governance documentation for SEP-1730 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1548
• fix: prevent command injection in example URL opening (v1.x backport) by @​maxisbey in modelcontextprotocol/typescript-sdk#1579
• fix: call onerror for silently swallowed transport errors by @​qing-ant in modelcontextprotocol/typescript-sdk#1580
• chore: bump version to 1.27.1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

• @​qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

• e12cbd7 chore: bump version to 1.29.0 (#1820)
• 3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
• 5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
• 7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
• 364f38c v1.x npm audit fix (#1780)
• c95cc09 Add typings exports (#1623)
• ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
• 2a15851 [v1.x] fix: disallow null (infinite) requested TTL (#1339)
• 13e30f1 fix: treat v1.x as primary branch for npm latest tag (backport #1577) (#1749)
• a056569 chore: bump version to 1.28.0 (#1746)
• Additional commits viewable in compare view

Updates @supabase/supabase-js from 2.97.0 to 2.103.0

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.103.0

2.103.0 (2026-04-09)

🚀 Features

• postgrest: add stripNulls method for null value stripping (#2189)
• storage: add cacheNonce parameter for download (#2234)

🩹 Fixes

• postgrest: fix scalar computed column type inference for isNotNullable and SETOF scalar (#2224)

❤️ Thank You

• Katerina Skroumpelou @​mandarini
• Seydi Charyyev @​TheSeydiCharyyev
• Vaibhav @​7ttp

v2.103.0-canary.2

2.103.0-canary.2 (2026-04-09)

🚀 Features

• postgrest: add stripNulls method for null value stripping (#2189)
• storage: add cacheNonce parameter for download (#2234)
• supabase: export PostgrestFilterBuilder and StorageApiError from supabase-js (#2222)

🩹 Fixes

• auth: downgrade console.error to console.warn for missing session (#2214)
• functions: add toJSON to FunctionsError for correct JSON serialization (#2226)
• postgrest: fix scalar computed column type inference for isNotNullable and SETOF scalar (#2224)
• storage: set correct content-type for uploads (#2211)
• storage: avoid duplicate content-type headers in vector requests (#2220)

❤️ Thank You

• Katerina Skroumpelou @​mandarini
• oniani1
• Seydi Charyyev @​TheSeydiCharyyev
• Vaibhav @​7ttp

v2.103.0-canary.1

2.103.0-canary.1 (2026-04-09)

🚀 Features

• storage: add cacheNonce parameter for download (#2234)
• supabase: export PostgrestFilterBuilder and StorageApiError from supabase-js (

[dependabot]

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔒 Security Scan Results

Scan Type	Status
Dependency Scan	⚠️ failure
CodeQL Analysis	✅ success
Secret Scan	✅ success
License Check	⚠️ failure
SAST	⚠️ failure

⚠️ Some security scans have warnings or failed. Please review the details.

---

Automated security scanning by GitHub Actions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.